GAO Faults FDA on Device Hacking Risks

A new GAO report finds that FDA has not considered intentional information security risks or device hacking of implantable wireless medical devices as a realistic possibility until recently.

Although it acknowledges that the agency intends to reassess its approach to reviewing software used in medical devices, the report says FDA does not plan to specifically address information security as part of this effort. Lawmakers requested the report after computer security experts demonstrated that certain devices could be intentionally compromised by hackers.

Device manufacturers have also been slow to publicly acknowledge potential computer security risks, according to the report. It found that the manufacturers of the two devices that were intentionally manipulated in the laboratory, a cardiac defibrillator and insulin pump, both failed to include information about known security vulnerabilities in their corporate annual reports and other publications.

GAO recommends that FDA develop a comprehensive plan to enhance its security risk review and oversight for wireless devices. It listed four minimum actions that the agency should include in the plan:

Increase its focus on manufacturers’ identification of potential unintentional and intentional computer security threats and vulnerabilities and strategies to mitigate these risks during its pre-market approval review process.

Utilize available resources, including those from other entities, such as other federal agencies, particularly the National Institute of Standards and Technology (NIST).

Establish a specific schedule for completing this review and implementing these changes.

“It is unacceptable that the Food and Drug Administration is ignoring the resources of other government agencies in evaluating life-saving medical devices,” commented Representative Donna Edwards (D-MD). “In the future, I expect the agency to utilize the computer security expertise offered by NIST and other federal agencies to assess the security risks posed by these devices. The FDA must address potential threats and close security gaps in order to have the full confidence of Congress and the American people.”

“Wireless medical devices are susceptible to increasingly advanced hacking techniques that could threaten patient health,” said Representative Edward Markey (D-MA). “Patients need to be informed about whether the medical devices implanted in their bodies contain security vulnerabilities that could harm them so they can take appropriate precautions whenever possible. This report underscores the need to require manufacturers to acknowledge these threats and for FDA to address the risks before the devices are sold to the public.”